Open seanthegeek opened 7 years ago
For Office it is done with:
mkdir work
cd work
git clone https://github.com/herumi/cybozulib
git clone https://github.com/herumi/msoffice
cd msoffice
make -j RELEASE=1
mkdir -p "$CUCKOO_ROOT/data/msoffice/"
cp bin/msoffice-crypt.exe "$CUCKOO_ROOT/data/msoffice/"
and specify the option password=X
I was thinking about how to handle ping, but at the moment I have no time; it's really a headache to set an extended timeout to detonate those samples.
Already mentioned here about one way ping can be dealt with: https://github.com/spender-sandbox/cuckoo-modified/issues/319
@doomedraven do you have any thoughts on https://github.com/spender-sandbox/cuckoo-modified/issues/441 - thanks.
No, I didn't check it.
We can also integrate this: https://github.com/nolze/ms-offcrypto-tool
I've come across a few fairly evasive samples that are password-protected Composite Document Files (password supplied to the target by phishing email).
Cuckoo does not pass the password to Word when opening the file. Can this be added to human.py?
Once the macro is run, it abuses ping to delay the execution of the dropper, e.g.:
Can cuckoomon be modified to bypass this?
Example: sample: 6874c1e78476d7afa714a5f688de40d0e7a92e9a (on VT)
I no longer have the password for that unfortunately.
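Added example, not code from this thread or from Cuckoo: a standard-library triage check that flags a submission as a password-protected Office file stored in a Composite Document File, so the analyst knows a password option has to be supplied before detonation. The function names and the sample builder are hypothetical and the sample bytes are constructed; it only recognises the `EncryptionInfo`/`EncryptedPackage` stream layout, not the legacy binary .doc/.xls encryption flags.

```python
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
FREESECT, ENDOFCHAIN = 0xFFFFFFFF, 0xFFFFFFFE

def cfb_entry_names(data):
    """List directory entry names of an OLE/CFB file; [] if it is not one."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return []
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                      # only 512- and 4096-byte sectors are valid
        return []
    size, first_dir = 1 << shift, struct.unpack_from("<I", data, 48)[0]
    names, fat, seen = [], [], set()
    try:
        # Only the 109 DIFAT slots in the header are read (enough for small samples).
        for s in struct.unpack_from("<109I", data, 76):
            if s != FREESECT:
                fat += struct.unpack_from(f"<{size // 4}I", data, (s + 1) * size)
        sec = first_dir
        while sec < len(fat) and sec not in seen:  # stops on ENDOFCHAIN or a chain loop
            seen.add(sec)
            for off in range((sec + 1) * size, (sec + 2) * size, 128):
                name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
                if obj_type and 2 <= name_len <= 64:
                    names.append(data[off:off + name_len - 2].decode("utf-16-le", "replace"))
            sec = fat[sec]
    except struct.error:                           # truncated or malformed file
        pass
    return names

def needs_password(data):
    """True when both encryption streams are present in the container."""
    return {"EncryptionInfo", "EncryptedPackage"} <= set(cfb_entry_names(data))

def build_sample(stream_names):
    """Constructed minimal CFB v3 (header, one FAT sector, one directory sector)."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9)   # versions, byte order, shift
    struct.pack_into("<II", hdr, 44, 1, 1)                   # 1 FAT sector, directory in sector 1
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    for i, name in enumerate(["Root Entry"] + stream_names):  # at most 3 streams fit
        raw = name.encode("utf-16-le") + b"\0\0"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 64, len(raw), 5 if i == 0 else 2)
    return bytes(hdr) + fat + bytes(directory)
```

A positive result means the file has to be decrypted, or the password passed to the analysis package, before the macro can run in the guest.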